diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml new file mode 100644 index 0000000000..f758d99284 --- /dev/null +++ b/.github/actions/az-sync/action.yml 
@@ -0,0 +1,64 @@ +name: Sync Secrets from Azure Key Vault +author: s.breen +description: az-sync +inputs: + az_client_id: + description: 'Azure Client ID' + required: true + az_tenant_id: + description: 'Azure Tenant ID' + required: true + az_subscription_id: + description: 'Azure Subscription ID' + required: true + keyvault: + description: 'Azure Key Vault name' + required: true + secrets-filter: + description: 'Filter for secrets to sync (comma-separated patterns)' + required: true + default: '*' +runs: + using: "composite" + steps: + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ inputs.az_client_id }} + tenant-id: ${{ inputs.az_tenant_id }} + subscription-id: ${{ inputs.az_subscription_id }} + + - name: Sync + shell: bash + run: | + IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}" + for pattern in "${array[@]}"; do + echo "Processing pattern: $pattern" + for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do + secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv) + # check if value is multiline + if [[ "$secret_value" == *$'\n'* ]]; then + # Mask each line for multiline secrets + while IFS= read -r line; do + [[ -n "$line" ]] && echo "::add-mask::${line}" + done <<< "$secret_value" + + # Use heredoc syntax for multiline environment variables + delimiter="EOF_${secret_name}_$(date +%s)" + { + echo "${secret_name}<<${delimiter}" + echo "$secret_value" + echo "$delimiter" + } >> $GITHUB_ENV + else + echo "::add-mask::${secret_value}" + echo "$secret_name=$secret_value" >> $GITHUB_ENV + fi + echo "Synced secret: env.$secret_name" + done + done + + - name: Azure logout + shell: bash + run: | + az logout 
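Review bot: `${{ inputs.secrets-filter }}` and `${{ inputs.keyvault }}` are expanded straight into the `run:` script of the Sync step, so a quote or `$(...)` in either input becomes shell source rather than data; the usual hardening is to map them to `env:` on the step and read `"$SECRETS_FILTER"` / `"$KEYVAULT"` in bash. The `'*'` default of `secrets-filter` is also not a wildcard here, because the query is `contains(name, '$pattern')` and `*` is matched as a literal character, so a caller relying on the default syncs nothing — either document the input as a comma-separated substring filter or handle `*` specially. The `Azure logout` step has no `if: always()`, so a failing `az keyvault` call leaves the runner session logged in. Every synced value is appended to `$GITHUB_ENV`, where every later step of the calling job can read it, which is worth stating in the action `description`.
```yaml
      - name: Sync
        shell: bash
        env:
          SECRETS_FILTER: ${{ inputs.secrets-filter }}
          KEYVAULT: ${{ inputs.keyvault }}
        run: |
          IFS=',' read -r -a array <<< "$SECRETS_FILTER"
          # … unchanged: outer pattern loop header …
            for secret_name in $(az keyvault secret list --vault-name "$KEYVAULT" --query "[?contains(name, '$pattern')].name" -o tsv); do
              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "$KEYVAULT" --query value -o tsv)
              # … unchanged: masking and $GITHUB_ENV export …

      - name: Azure logout
        if: always()
        shell: bash
        run: |
          az logout
```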
diff --git a/.github/actions/configure-goproxy/action.yml b/.github/actions/configure-goproxy/action.yml index c9c825fc98..f7147f7b39 100644 --- a/.github/actions/configure-goproxy/action.yml +++ b/.github/actions/configure-goproxy/action.yml @@ -1,19 +1,6 @@ name: configure-goproxy author: s.breen -description: Sets the current Go module proxy based on the presence of a private proxy URL in secrets -inputs: - user: - description: Artifactory username secret name - required: false - default: "" - token: - description: Artifactory token secret name - required: false - default: "" - url: - description: Artifactory URL - required: false - default: "" +description: Sets the current Go module proxy based on the presence of a private proxy URL in environment variables. runs: using: 'composite' steps: @@ -21,16 +8,16 @@ runs: id: configure-goproxy shell: bash run: | - if [[ -z "${{ inputs.user }}" ]] || \ - [[ -z "${{ inputs.token }}" ]] || \ - [[ -z "${{ inputs.url }}" ]] || \ + if [[ -z "${{ env.artifactory-user }}" ]] || \ + [[ -z "${{ env.artifactory-token }}" ]] || \ + [[ -z "${{ env.artifactory-url-dev }}" ]] || \ [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] || [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then echo "No Artifactory secrets available - using direct GOPROXY" GOPROXY_VALUE="direct" else echo "Development mode - using dev Artifactory" - GOPROXY_VALUE="https://${{ inputs.user }}:${{ inputs.token }}@${{ inputs.url }}" + GOPROXY_VALUE="https://${{ env.artifactory-user }}:${{ env.artifactory-token }}@${{ env.artifactory-url-dev }}" fi echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 1fce5bf105..227e1ad4e2 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml 
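Review bot: The action's contract is now implicit — the second hunk reads `env.artifactory-user`, `env.artifactory-token` and `env.artifactory-url-dev`, and when any of them is unset the script silently falls back to `GOPROXY=direct`, so a caller that omits the preceding az-sync step gets an unproxied module download with only a log line to show for it. The `description` in the first hunk should name those variables and their source, e.g. `description: Sets GOPROXY from the artifactory-user, artifactory-token and artifactory-url-dev environment variables (populated by the az-sync action); falls back to direct when they are unset or the run is from a fork.` The step body that builds `GOPROXY_VALUE` ends outside the hunk.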
@@ -16,28 +16,6 @@ on: type: boolean required: false default: false - workflow_call: - inputs: - packageVersion: - description: 'Agent version' - type: string - required: true - runId: - description: 'Run ID of the workflow that built the artifacts' - type: string - required: false - signAssertion: - description: 'Sign and store the assertion document' - type: boolean - required: false - default: false - secrets: - ARTIFACTORY_USER: - required: true - ARTIFACTORY_TOKEN: - required: true - ARTIFACTORY_URL: - required: true permissions: contents: read @@ -48,10 +26,8 @@ jobs: runs-on: ubuntu-22.04 if: ${{ !github.event.pull_request.head.repo.fork }} permissions: - id-token: write - contents: read - env: - GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}" + id-token: write # for OIDC authentication + contents: read # Needed to download artifacts strategy: matrix: osarch: [amd64, arm64] @@ -59,12 +35,6 @@ jobs: - name: Checkout Repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Set up Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: false - - name: Download nginx-agent binary artifacts if: ${{ inputs.runId != '' }} uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0 
@@ -97,9 +67,9 @@ jobs: builder-id: 'github.com' builder-version: '${{env.GO_VERSION}}_test' invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} - artifactory-user: ${{ secrets.ARTIFACTORY_USER }} - artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} - artifactory-url: ${{ secrets.ARTIFACTORY_URL }} + artifactory-user: ${{ env.artifactory-user }} + artifactory-api-token: ${{ env.artifactory-token }} + artifactory-url: ${{ env.artifactory-url }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json build-content-path: ${{ env.goversionm }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72de031e98..67531025be 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,12 +31,17 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-tags: 'true' + + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
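Review bot: The `artifactory-user`, `artifactory-api-token` and `artifactory-url` inputs now read `env.artifactory-*`, but none of the visible assertion.yml hunks adds the `Get Secrets from Azure Key Vault` step that populates those variables (ci.yml gets one per job), so unless it sits in an unchanged part of the job these inputs are empty at run time. Add the az-sync step with `secrets-filter: 'artifactory'` ahead of this step, or document in the job where the variables are expected to come from. The step whose `with:` block this hunk edits starts outside the hunk.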
@@ -59,14 +64,20 @@ jobs: lint: name: Lint runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -95,14 +106,20 @@ jobs: unit-test: name: Unit Tests runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
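Review bot: The `Get Secrets from Azure Key Vault` step in `lint` (and in `unit-test` in the next hunk, `race-condition-test` and `build-unsigned-snapshot` after it) runs unconditionally with `az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}`; on a pull request from a fork or from Dependabot, repository secrets are not provided, so `azure/login` receives empty required inputs and the job fails before `configure-goproxy` can apply its fork fallback to `GOPROXY=direct`. Previously the secrets were optional action inputs, so that fallback path was reachable. Unless these jobs never run for such PRs, guard the sync step with `if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}`, mirroring the condition configure-goproxy already checks, so the unauthenticated path keeps working. The `lint` job's step list continues beyond the hunk.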
@@ -124,14 +141,20 @@ jobs: race-condition-test: name: Unit tests with race condition detection runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -148,16 +171,22 @@ jobs: build-unsigned-snapshot: name: Build Unsigned Snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-tags: 'true' + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -188,6 +217,8 @@ jobs: name: Integration Tests needs: build-unsigned-snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication strategy: matrix: container: 
@@ -199,12 +230,16 @@ jobs: version: "3.23" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -244,6 +279,8 @@ jobs: name: Upgrade Tests needs: build-unsigned-snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication strategy: matrix: container: @@ -255,12 +292,16 @@ jobs: version: "3.22" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -301,6 +342,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication strategy: matrix: container: 
@@ -318,12 +361,16 @@ jobs: release: "alpine" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -366,6 +413,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication strategy: matrix: container: @@ -391,12 +440,17 @@ jobs: path: "/nginx-plus/agent" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' + - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -407,17 +461,28 @@ jobs: ~/.cache/go-build ~/go/pkg/mod key: ${{ runner.os }}-go- + + - name: Sync NGINX Plus License + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }} + secrets-filter: 'docker,nginx-private-registry,nginx-pkg' + - name: Download Packages uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: nginx-agent-unsigned-snapshots path: build + - name: Login to Docker Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - registry: ${{ secrets.TEST_REGISTRY_URL }} - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + registry: ${{ env.nginx-private-registry-url }} + username: ${{ env.nginx-pkg-jwt }} + password: "none" - name: Create Results Directory run: mkdir -p ${{ github.workspace }}/test/dashboard/logs/${{ github.job }}/${{matrix.container.image}}-${{matrix.container.version}} @@ -430,10 +495,10 @@ jobs: - name: Run Integration Tests run: | go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }} - CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" \ + CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" \ TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \ OS_RELEASE="${{ matrix.container.release }}" OS_VERSION="${{ matrix.container.version }}" IMAGE_PATH="${{ matrix.container.path }}" \ - NGINX_LICENSE_JWT='${{ secrets.TEST_JWT }}' \ + NGINX_LICENSE_JWT='${{ env.nginx-pkg-jwt }}' \ make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}-${{matrix.container.version}}/raw_logs.log exit "${PIPESTATUS[0]}" 
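Review bot: `secrets-filter: 'nginx-pkg'` in the `Sync NGINX Plus License` step is a substring match in az-sync, so it pulls every vault secret whose name contains `nginx-pkg` — from the load-test and upload-release hunks that appears to include `nginx-pkg-certificate` and `nginx-pkg-key` — into `$GITHUB_ENV`, while this job only reads `nginx-pkg-jwt` (docker login and `NGINX_LICENSE_JWT`). The metrics job further down already uses the narrower `secrets-filter: 'docker,nginx-private-registry,nginx-pkg-jwt'`; aligning this step to it keeps the packaging key material out of a job that does not use it. The `docker` pattern is not referenced by any visible line in either job, so confirm it is still needed.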
@@ -446,6 +511,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication strategy: matrix: container: @@ -463,12 +530,16 @@ jobs: release: "alpine" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -511,6 +582,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write # for OIDC authentication strategy: matrix: container: 
@@ -536,12 +609,16 @@ jobs: path: "/nginx-plus/agent" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -557,12 +634,21 @@ jobs: with: name: nginx-agent-unsigned-snapshots path: build + - name: Sync NGINX Plus License + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }} + secrets-filter: 'docker,nginx-private-registry,nginx-pkg-jwt' + - name: Login to Docker Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - registry: ${{ secrets.TEST_REGISTRY_URL }} - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + registry: ${{ env.nginx-private-registry-url }} + username: ${{ env.nginx-pkg-jwt }} + password: "none" - name: Create Results Directory run: mkdir -p ${{ github.workspace }}/test/dashboard/logs/${{ github.job }}/${{matrix.container.image}}-${{matrix.container.version}} 
@@ -575,10 +661,10 @@ jobs: - name: Run Integration Tests run: | go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }} - CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" \ + CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" \ TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \ OS_RELEASE="${{ matrix.container.release }}" OS_VERSION="${{ matrix.container.version }}" IMAGE_PATH="${{ matrix.container.path }}" \ - NGINX_LICENSE_JWT="${{ secrets.TEST_JWT }}" \ + NGINX_LICENSE_JWT="${{ env.nginx-pkg-jwt }}" \ make metrics-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}-${{matrix.container.version}}/raw_logs.log exit "${PIPESTATUS[0]}" @@ -591,15 +677,20 @@ jobs: runs-on: ubuntu-22.04 needs: build-unsigned-snapshot permissions: + id-token: write # for OIDC authentication contents: write # Needed for pushing benchmark results to github branch steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -633,6 +724,7 @@ jobs: name: Load Tests if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} permissions: + id-token: write # for OIDC authentication contents: write # Needed for pushing benchmark results to github branch runs-on: ubuntu-22.04 needs: build-unsigned-snapshot @@ -662,6 +754,15 @@ jobs: - name: Set env run: echo "GO_VERSION=$(cat go.mod | grep toolchain | sed 's/toolchain //; s/go//')" >> $GITHUB_ENV + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }} + secrets-filter: 'nginx-pkg' + - name: Build Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 env: @@ -674,8 +775,8 @@ jobs: load: true no-cache: true secrets: | - "nginx-crt=${{ secrets.NGINX_CRT }}" - "nginx-key=${{ secrets.NGINX_KEY }}" + "nginx-crt=${{ env.nginx-pkg-certificate }}" + "nginx-key=${{ env.nginx-pkg-key }}" build-args: | OSARCH=amd64 GO_VERSION=${{ env.GO_VERSION }} @@ -708,4 +809,4 @@ jobs: - name: Push load test result if: ${{ success() && github.ref_name == 'main' }} - run: git push 'https://github-actions:${{ secrets.GITHUB_TOKEN }}@github.com/nginx/agent.git' benchmark-results:benchmark-results + run: git push 'https://github-actions:${{ github.token }}@github.com/nginx/agent.git' benchmark-results:benchmark-results diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml index 2b1dc3b1f1..3c310dd7ff 100644 --- a/.github/workflows/f5-cla.yml +++ b/.github/workflows/f5-cla.yml @@ -47,5 +47,5 @@ jobs: # Do not lock PRs after a merge. lock-pullrequest-aftermerge: false env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }} 
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml index 256fee4989..18a0dad133 100644 --- a/.github/workflows/label-pr.yml +++ b/.github/workflows/label-pr.yml @@ -18,4 +18,4 @@ jobs: with: disable-releaser: true env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index f3bcead4aa..fc1e687dcf 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -45,7 +45,6 @@ on: env: NFPM_VERSION: 'v2.35.3' - GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL_PROD }}" defaults: run: @@ -213,6 +212,15 @@ jobs: with: ref: ${{ inputs.releaseBranch }} + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' + - name: Setup go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -234,13 +242,10 @@ jobs: - name: Build Packages env: - GPG_KEY: ${{ secrets.INDIGO_GPG_AGENT }} - NFPM_SIGNING_KEY_FILE: .key.asc VERSION: ${{ env.VERSION }} PACKAGE_BUILD: ${{ inputs.packageBuildNo }} run: | export PATH=$PATH:~/go/bin - echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE} make package find build/ -type f -name "nginx-agent*" 
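Review bot: The first release-branch.yml hunk drops the workflow-level `GOPROXY` built from `ARTIFACTORY_URL_PROD`, and the hunk at new line 212 only syncs the `artifactory` secrets into the job environment; no visible line in this file sets `GOPROXY` from them (the `Setup go` step that follows has no `env:`), so unless an unchanged step does, the release build now resolves modules directly instead of through the approved Artifactory proxy. Either export `GOPROXY` from the synced `artifactory-*` variables in this job, or call `./.github/actions/configure-goproxy` here, noting that it reads `artifactory-url-dev` rather than a production URL. The `Build Packages` hunk also removes the GPG key material along with the nfpm signing configuration; where package signing now happens belongs in the commit description.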
@@ -290,23 +295,6 @@ jobs: run: | make release - assertion-document: - name: Build and Generate Assertion Document - needs: [build-and-upload-packages] - if : ${{ inputs.assertionDoc == true }} - uses: ./.github/workflows/assertion.yml - permissions: - id-token: write - contents: read - with: - packageVersion: ${{ inputs.packageVersion }} - runId: ${{ github.run_id }} - secrets: - ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} - ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} - ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }} - - merge-release: if: ${{ needs.vars.outputs.create_pull_request == 'true' }} name: Merge release branch back into main branch diff --git a/.github/workflows/upload-release-assets.yml b/.github/workflows/upload-release-assets.yml index 374e439d44..4deb17d2f3 100644 --- a/.github/workflows/upload-release-assets.yml +++ b/.github/workflows/upload-release-assets.yml @@ -52,6 +52,7 @@ jobs: runs-on: ubuntu-22.04 needs: [vars] permissions: + id-token: write # for OIDC authentication contents: write # Needed for uploading release assets to GitHub steps: - name: Checkout Repository @@ -59,12 +60,21 @@ jobs: with: ref: ${{ inputs.releaseBranch }} + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }} + secrets-filter: 'nginx-pkg' + - name: Download Packages run: | echo "Checking Packages in ${{inputs.pkgRepo}}/nginx-agent" - echo "${{secrets.PUBTEST_CERT}}" > pubtest.crt - echo "${{secrets.PUBTEST_KEY}}" > pubtest.key + echo "${{ env.nginx-pkg-certificate }}" > pubtest.crt + echo "${{ env.nginx-pkg-key }}" > pubtest.key DL=1 PKG_REPO=${{inputs.pkgRepo}} \ CERT=pubtest.crt KEY=pubtest.key \ 
@@ -73,7 +83,7 @@ jobs: - name: GitHub Upload if: ${{ needs.vars.outputs.github_release == 'true' }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} # clobber overwrites existing assets of the same name run: | gh release list @@ -92,16 +102,18 @@ jobs: with: inlineScript: | echo "Uploading tarball... nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz" - az storage blob upload --auth-mode=login -f "${{ inputs.pkgRepo }}/nginx-agent/nginx-agent.tar.gz" \ + az storage blob upload --auth-mode=login \ + -f "${{ inputs.pkgRepo }}/nginx-agent/nginx-agent.tar.gz" \ -c ${{ secrets.AZURE_CONTAINER_NAME }} \ - --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz + --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} \ + --overwrite -n nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz echo "Uploading packages..." for i in $(find ${{ inputs.pkgRepo }}/nginx-agent | grep -e "nginx-agent[_-]${{ inputs.pkgVersion }}"); do dest="nginx-agent/release-${{ inputs.pkgVersion }}/${i##*/}" echo "Uploading ${i} to ${dest}" az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \ - --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest} + --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest} done - name: Azure Logout diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml index 287c58f692..20e519b48f 100644 --- a/.github/workflows/vulncheck.yml +++ b/.github/workflows/vulncheck.yml @@ -5,13 +5,13 @@ on: target-branch: description: 'Target branch to run govulncheck against' type: string - required: false + required: true default: 'main' workflow_dispatch: inputs: target-branch: description: 'Target branch to run govulncheck against' - required: false + required: true default: 'main' permissions: diff --git a/.nfpm.yaml b/.nfpm.yaml index abc2bb7d2b..ca301f29ad 100644 
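Review bot: In the vulncheck.yml hunk, setting `required: true` on the `workflow_call` input while keeping `default: 'main'` makes the default unreachable — a required `workflow_call` input has to be supplied by every caller, so any caller that relied on the default is rejected. If the intent is only to prefill the manual run form, keep `required: true` on the `workflow_dispatch` input and leave the `workflow_call` one optional; otherwise drop the now-dead `default` and update the callers. The `az storage blob upload` reflow in the upload-release-assets hunk is layout only.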
--- a/.nfpm.yaml +++ b/.nfpm.yaml @@ -41,15 +41,8 @@ overrides: depends: - apt-transport-https deb: - signature: - method: dpkg-sig - key_file: ".key.asc" rpm: - signature: - key_file: ".key.asc" apk: - signature: - key_file: ".key.rsa" scripts: preupgrade: "./scripts/packages/preinstall.sh" postupgrade: "./scripts/packages/postinstall.sh" diff --git a/Makefile.packaging b/Makefile.packaging index e9ab80413e..555ae02acf 100644 --- a/Makefile.packaging +++ b/Makefile.packaging @@ -35,7 +35,7 @@ $(PACKAGES_DIR): @mkdir -p $(PACKAGES_DIR)/deb && mkdir -p $(PACKAGES_DIR)/rpm && mkdir -p $(PACKAGES_DIR)/apk .PHONY: package -package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported distros +package: $(PACKAGES_DIR) #### Create final packages for all supported distros # Build binaries for all supported architectures @for arch in $(DEB_ARCHS); do \ mkdir -p $(BUILD_DIR)/$${arch}; \ diff --git a/test/docker/load/Dockerfile b/test/docker/load/Dockerfile index a1eeb4ee84..ac43d3dfea 100644 --- a/test/docker/load/Dockerfile +++ b/test/docker/load/Dockerfile @@ -7,6 +7,8 @@ ARG DEBIAN_FRONTEND=noninteractive WORKDIR /agent COPY . /agent +ENV PLUS_VERSION=R35 + RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ --mount=type=secret,id=nginx-key,dst=nginx-repo.key \ set -x \
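Review bot: Removing the `signature` blocks for deb, rpm and apk means `make package` now emits unsigned artifacts, and the Makefile hunk drops the `gpg-key` prerequisite without visibly removing that target, so a stale rule may linger. If signing has moved to a later stage, a comment above `overrides:` in `.nfpm.yaml` such as `# Package signing is handled outside nfpm; see the release workflow` would stop the next reader from restoring it; if it has not moved, consumers that verify `dpkg-sig`, rpm or apk signatures will reject these packages. The `package` recipe in Makefile.packaging continues beyond the hunk.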